Adversaries are increasingly abusing Telegram as a "command-and-control" system to distribute malware into organizations, malware that can then be used to capture sensitive information from targeted systems.
"Even if Telegram is not installed or being used, the system allows hackers to send malicious commands and operations remotely via the instant messaging app," said researchers from cybersecurity firm Check Point, who have identified no fewer than 130 attacks over the past three months that make use of a new multi-functional remote access trojan (RAT) called "ToxicEye."
The use of Telegram to facilitate malicious activity is not new. In September 2019, an information stealer dubbed Masad Stealer was found to plunder information and cryptocurrency wallet data from infected computers, using Telegram as an exfiltration channel. Then last year, Magecart groups embraced the same tactic to send payment details stolen from compromised websites back to the attackers.
The strategy pays off in a number of ways. For a start, not only is Telegram not blocked by enterprise antivirus engines, the messaging app also allows attackers to remain anonymous, since the registration process requires only a mobile number, while giving them access to infected devices from virtually any location worldwide.
The latest campaign spotted by Check Point is no different. Spread via phishing emails carrying a malicious Windows executable, ToxicEye uses Telegram to communicate with its command-and-control (C2) server and to upload data to it. The malware also sports a range of capabilities that allow it to steal data, transfer and delete files, terminate processes, deploy a keylogger, hijack the computer's microphone and camera to record audio and video, and even encrypt files for ransom.
Specifically, the attack chain begins with the attacker creating a Telegram bot, which is then embedded into the RAT's configuration file before it is compiled into an executable (e.g. "paypal checker by saint.exe"). This .EXE file is then injected into a decoy Word document ("solution.doc") that, when opened, downloads and runs the Telegram RAT ("C:\Users\ToxicEye\rat.exe").
"We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command-and-control system for malware distribution into organizations," Check Point R&D Group Manager Idan Sharabi said. "We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyber attacks, which can bypass security restrictions."
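One way a defender can hunt for the bot-based C2 pattern described above is to look for Telegram Bot API traffic in outbound proxy logs: the official Telegram clients do not use the HTTPS Bot API, so repeated `getUpdates` polling or `sendDocument` uploads from a workstation stand out. The example below is added here and is not Check Point's or the article's code; it assumes the public Bot API URL shape (`api.telegram.org/bot<token>/<method>`), and the log format, IP addresses and bot tokens are constructed.

```python
import re
from collections import defaultdict

# Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
# Capture the numeric bot id and the method; the secret is intentionally not kept.
BOT_API_RE = re.compile(r"api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")

POLL_METHODS = {"getUpdates"}  # implant polling the operator's chat for commands
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}

# Constructed sample proxy log, one "<timestamp> <source ip> <url>" entry per line.
SAMPLE_LOG = """\
2021-04-22T10:01:03Z 10.0.0.5 https://api.telegram.org/bot1234567890:EXAMPLE-TOKEN-NOT-REAL_abc/getUpdates?offset=1
2021-04-22T10:01:33Z 10.0.0.5 https://api.telegram.org/bot1234567890:EXAMPLE-TOKEN-NOT-REAL_abc/getUpdates?offset=1
2021-04-22T10:02:03Z 10.0.0.5 https://api.telegram.org/bot1234567890:EXAMPLE-TOKEN-NOT-REAL_abc/getUpdates?offset=2
2021-04-22T10:02:10Z 10.0.0.5 https://api.telegram.org/bot1234567890:EXAMPLE-TOKEN-NOT-REAL_abc/sendDocument
2021-04-22T10:02:15Z 10.0.0.9 https://web.telegram.org/k/
2021-04-22T10:03:00Z 10.0.0.7 https://api.telegram.org/bot9876543210:EXAMPLE-TOKEN-NOT-REAL_xyz/getUpdates
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def summarize_bot_traffic(log_text):
    """Count Bot API polls and uploads per (source ip, bot id); ignore other traffic."""
    stats = defaultdict(lambda: {"polls": 0, "uploads": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line, skip rather than crash the hunt
        _ts, src, url = m.groups()
        api = BOT_API_RE.search(url)
        if not api:
            continue  # not a Bot API call (e.g. the web client)
        bot_id, method = api.groups()
        if method in POLL_METHODS:
            stats[(src, bot_id)]["polls"] += 1
        elif method in UPLOAD_METHODS:
            stats[(src, bot_id)]["uploads"] += 1
    return stats


def flag_suspected_c2(log_text, min_polls=3):
    """Return sorted (src, bot_id, reason) tuples for hosts whose Bot API use looks like C2."""
    findings = []
    for (src, bot_id), s in summarize_bot_traffic(log_text).items():
        reasons = []
        if s["polls"] >= min_polls:
            reasons.append(f"{s['polls']} getUpdates polls")
        if s["uploads"]:
            reasons.append(f"{s['uploads']} upload(s)")
        if reasons:
            findings.append((src, bot_id, "; ".join(reasons)))
    return sorted(findings)
```

Lower `min_polls` to surface single-poll hosts as well; in a real deployment the bot id is a useful pivot for correlating all infected hosts that report to the same operator.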